June 2015

06/30/2015

I have written about SSD drives in the past and especially mentioned a Samsung drive as an upgrade. CNet has now identified five SSDs that you should consider for purchase. The price of SSDs has come down so that the premium performance will not cost you a huge amount of money. The five recommended drives include:

Transcend SSD370S

Crucial MX200

Samsung SSD 850 Evo (my personal favorite)

Samsung SSD 850 Pro

SanDisk Extreme Pro

It should take you less than an hour to upgrade to a new SSD. Some of the drives come with software to clone your existing drive, but you may want to check out Macrium Reflect Free if the drive you purchase does not.

06/29/2015

Default passwords are not unusual. Cisco has revealed that there are default pre-authorization keys for SSH sessions for some of its network security appliances. Apparently, the default keys were intended for “customer support” purposes. When the bad guys get the keys, their “support” means unauthorized access. Not a good thing. Cisco’s advisory mentions that there are two separate SSH key vulnerabilities for the Cisco Web Security Virtual Appliance (WSAv), Cisco Email Security Virtual Appliance (ESAv), and Cisco Security Management Virtual Appliance (SMAv). The good news is that Cisco has released a patch to plug the holes.

06/25/2015

Office has been available for Android tablets since January, but now you can install Microsoft Office on your Android phone for free. Apparently, the Office apps are a little light on the smartphone and don’t have the same full functionality as the tablet version. It’s still better than not having Office at all. The new offering includes Word, Excel and PowerPoint. It integrates with OneDrive and Dropbox too. The new Office apps require your phone to be running KitKat (4.4.x) or higher and 1 GB of RAM. Each app (Word, Excel and PowerPoint) is a separate download; they are not grouped together into a single Office app like the previous Office Mobile. The apps are pretty beefy. When I installed them, Word was 176 MB, Excel was 168 MB and PowerPoint was 166 MB in size. As with the other Office apps, signing in with a free Microsoft account or having an Office 365 subscription unlocks more features.

06/24/2015

It isn’t quite a do-over, but Google has officially released the “undo send” function. It appears to function similarly to the delay send feature of Outlook. Basically, you define an amount of time from when you click 'send' to when the message actually transmits. Click on the gear icon and go to “Settings” under your profile picture. Scroll down to the “Undo send:” option and check the box. You can then select the timer to be 5, 10, 20 or 30 seconds of delay. Don't forget to save the changes.

06/23/2015

Despite the predictions of some, passwords are not dead. We are constantly looking to improve our authentication methods. The latest attempt is to use emojis as password replacements. Intelligent Environments, a British company, has announced a system that uses a pool of 44 emojis for authentication. The system is easier to remember and is harder to crack than a normal passcode. As an example, there are 10,000 possible combinations with a 4 digit PIN as compared to 3.75 million combinations using 4 emojis. I don’t think emojis will be the answer to our authentication problems. I still predict multi-factor authentication will win out.

06/22/2015

So much for the perceived safety of Apple products. Ars Technica reports that researchers have discovered huge holes in the application sandboxes that are intended to protect Apple’s OS X and iOS operating systems. This means that the bad guys can create apps that can lift iCloud, Gmail and banking passwords along with data from the popular 1Password, Evernote and other apps.

Think you’re safe because of the walled garden approval requirement for the Apple Store? Guess again. The researchers were able to submit an app designed to bypass sandboxing protections, which was approved and vetted by Apple engineers to be safe. To quote the researchers’ paper, "For example, on the latest Mac OS X 10.10.3, our sandboxed app successfully retrieved from the system's keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome." They also intercepted passwords from 1Password and the secret token for Evernote. Pretty scary stuff.

Apparently, there isn’t much end users can do other than wait for Apple to fix the problem. If history is any indicator, it’s going to be a long time before the hole is plugged.

06/18/2015

It seems like we hear of at least one data breach a week these days. One of the latest victims is LastPass, a popular password manager for storing all of your passwords. According to a post on its website, “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.” The data contained in a user’s encrypted vault was not compromised, which is a good thing. Obviously, the recommendation is to change your master password.

I know a lot of folks use LastPass, but I’ve never been a fan of putting your login passwords in the cloud. I would much rather have control over my encrypted vault, which is why I use eWallet as my password manager. Besides having my encrypted vault stored locally and backed up, I synchronize with my mobile devices so that my credentials (passwords, frequent flyer numbers, hotel rewards numbers, passport information, etc.) are accessible on my smartphone when I travel. There are many choices of password managers that store data in the cloud or locally. No matter which one you use, make sure your master password is a strong one.

06/17/2015

Encryption used to be hard. Today, it’s pretty easy and not expensive. A lot of products actually include encryption capability for no additional charge. As an example, put a password on a Word, PDF or WinZip file and it encrypts the contents. You can also encrypt the contents of a hard disk with some versions of the operating system.

The latest concern is whether there are any backdoors built into the encryption product that provide folks like the NSA unencrypted access to the data. In a sudden move, TrueCrypt was modified and announced to be insecure. PGP (Pretty Good Privacy) is considered to be strong encryption, even after being acquired by Symantec. In other words, are commercial vendors being pressured to build a method to allow governments access to your private data? Noted security guru, Bruce Schneier, used to be a big PGP fan. He has since jumped ship and moved over to using Microsoft’s BitLocker encryption. I don’t think you can get a much better endorsement than that. BitLocker is included with Windows 8.1, but is not enabled by default. Make sure you turn on BitLocker and don’t forget to back up the encryption key!
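To check that advice on a machine, the following PowerShell is an added example (not code from this blog or from Microsoft). It assumes an elevated session on a system where the BitLocker PowerShell module is available, and it reports only whether a recovery password protector exists, never the password itself.

```powershell
# Added example: audit BitLocker state per volume and flag volumes that are
# unprotected or have no recovery password protector to back up.
# Assumes an elevated PowerShell with the BitLocker module.
$report = Get-BitLockerVolume | ForEach-Object {
    # Recovery password protectors are what you print or store offline.
    $recovery = @($_.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeStatus     = $_.VolumeStatus
        ProtectionStatus = $_.ProtectionStatus
        EncryptedPercent = $_.EncryptionPercentage
        HasRecoveryKey   = ($recovery.Count -gt 0)
        # Protector IDs identify which recovery key belongs to which volume.
        ProtectorIds     = ($recovery |
            ForEach-Object { $_.KeyProtectorId }) -join ', '
    }
}

$report | Format-Table -AutoSize

# Warn about anything that does not meet the recommendation.
foreach ($vol in $report) {
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$($vol.MountPoint) BitLocker protection is not on."
    }
    if (-not $vol.HasRecoveryKey) {
        Write-Warning "$($vol.MountPoint) has no recovery password to back up."
    }
}
```

Match the protector ID shown here against the ID on your saved or printed recovery key to confirm the backup is for the right volume.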

06/16/2015

The big tech news is that on July 29 Microsoft will make Windows 10 available as a free upgrade for existing Windows 7, Windows 8 and Windows 8.1 users. To prepare for the download of Windows 10, Microsoft released an update (KB3035583) for Windows 7 (Optional) and Windows 8.1 (Recommended) called the Get Windows 10 app. The update prompts you with the option of reserving your copy of Windows 10. But what if you don’t want to be prompted or even download the Windows 10 upgrade? The easiest way is to uninstall KB3035583 from the installed updates. You can then select “Hide this update” so that it doesn’t inadvertently get installed later.
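The same two steps can be scripted. This PowerShell is an added example, not Microsoft's or this blog's own code; it assumes an elevated session on Windows 7 or 8.1 and finds the update by the KB number in its title.

```powershell
# Added example: uninstall KB3035583 (the Get Windows 10 app) and hide it so
# Windows Update does not offer it again. Run from an elevated PowerShell.
$kb = 'KB3035583'

# Step 1: uninstall the update if it is currently installed.
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    $kbNumber = $kb -replace '^KB', ''
    $proc = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" `
        -Wait -PassThru
    # 0 = success, 3010 = success but a restart is required.
    if (@(0, 3010) -notcontains $proc.ExitCode) {
        Write-Warning "wusa.exe exited with code $($proc.ExitCode)"
    }
} else {
    Write-Output "$kb is not installed."
}

# Step 2: hide the update wherever Windows Update still offers it
# (the scripted equivalent of "Hide this update").
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates

$hidden = 0
foreach ($update in $pending) {
    if ($update.Title -match $kb) {
        $update.IsHidden = $true
        $hidden++
        Write-Output "Hidden: $($update.Title)"
    }
}
if ($hidden -eq 0) {
    Write-Output "$kb is not currently offered by Windows Update."
}
```

If the update is not listed right after the uninstall, rerun the second step after the next restart and Windows Update scan.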

06/15/2015

I’ve never been a big fan of Microsoft’s security products. But the recent story in Ars Technica has me rethinking that posture. I particularly like that Microsoft is now starting to classify some “convenience” products as malware. The latest target is the Ask Toolbar, which is automatically installed with each Java update unless you uncheck the box. Apparently, the move doesn’t impact a large number of users, but it’s a good first step. I hate having to uncheck all the boxes to not install software I don’t want in the first place. It’s not just Java updates either. Other software and updates will typically install browser plugins that you never wanted. Let’s hope the other providers of security products begin to classify the unwanted plugins as malware.

Sensei Enterprises, Inc.
